The Privacy Amendment (Notifiable Data Breaches) Bill 2016 has passed into law and will come into effect within the next 12 months.
The amendments require organisations governed by the Privacy Act, with an annual turnover of more than $3m, to provide notice to affected individuals and the relevant regulator when particular kinds of security incidents compromise personal information.
“The requirement to notify certain data breaches will increase the exposure that data breach incidents receive in society, which will in turn increase the likelihood of claims arising,” says James Morse, litigation and dispute resolution partner at law firm DLA Piper.
“While the mandatory data breach notification regime does include a mixed subjective/objective test in terms of whether the relevant disclosure thresholds are met, when coupled with the recent 2014 tightening of the general privacy regime in Australia, it is clear that the regulatory focus has shifted from education on risks to potential liability where information risk is not managed adequately, and cyber claims are, therefore, likely to result.”
Those cyber claims, Morse says, are likely to be extremely technical and demand “a rapid but specialised response”.
“Cyber events also have an inherently global dimension, and the complexity and diversity of breach notification requirements across the world are expected to increase in the coming years,” he says. “Combined, these impacts represent real risks which businesses are unlikely to be able to adequately address on their own.”
Cyber insurers, Morse says, are “particularly well placed to formulate and mobilise a team of experts to respond to a data breach, across a number of jurisdictions in a very short period of time.”
“That said, even if a business elects not to take out standalone cyber insurance with rapid response cover, it would be well advised to take out a cyber extension on its existing policies – management liability, for example – which is likely to provide valuable, even if comparatively limited, cover in the event of a cyberattack.”
Peter Jones, information technology and data protection partner at DLA Piper, says the degree of impact for any particular business will depend on the extent and sophistication of its operations, its existing and future supplier environment, and the nature of its contractual obligations.
“For example, for international entities with offshore operations already subject to other mandatory breach notification regimes, the impact may be minimal, such as tweaking internal compliance functions,” Jones explains.
“Yet for entities with local footprints only and who do not have experience in managing data breaches or associated notifications, the changes may be significant.
“Perhaps the most immediate impact will be a need for each business to review its privacy regime – including around its supplier environment and contractual obligations – and ensure it has operational and risk management procedures in place to adequately manage a data breach event.”
Morse says it’s the general consensus in the United States that mandatory data breach notification legislation was a catalyst for the increased uptake of cyber insurance.
“Given the Australian laws are stricter than those across the US, one could expect to see a similar increase in the uptake of cyber insurance, at least among those businesses which are not already exposed to other mandatory breach notification regimes,” he says.
“However, and quite interestingly, there was concern among some circles in the US that the influx of mandatory notifications was desensitising society to the seriousness of data breaches, with smaller notifications being lost as background noise in the face of larger breach notifications.
“Some critics of the regime suggest Australia may experience similar notification fatigue, which could eventually undermine the effectiveness of the entire reporting scheme.
“Only time will tell whether or not this, in fact, occurs.”